From: Juliana Fajardini
Date: Mon, 22 Aug 2022 18:29:03 +0000 (-0300)
Subject: tests: test flow droped but applayer event logged
X-Git-Tag: suricata-6.0.13~30
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=refs%2Fpull%2F1221%2Fhead;p=thirdparty%2Fsuricata-verify.git
tests: test flow droped but applayer event logged
It seems that Suricata will log an applayer event for a dropped flow, for the second packet of the flow. This test demonstrates such behavior, so we can investigate it.
Related to Task #5510
---
diff --git a/tests/bug-5802/README.md b/tests/bug-5802/README.md
new file mode 100644
index 000000000..626da18cd
--- /dev/null
+++ b/tests/bug-5802/README.md
@@ -0,0 +1,16 @@
+# Description
+
+Ensure that Suricata logs the expected amount of applayer protocol events,
+when there are packet and flow drops.
+
+# Expected behavior
+
+Application layer events for dropped packets or flows should be logged as part
+of the drop event, when their corresponding transaction is completed (which also
+happens when the flow is dropped). Therefore, we should not see ``sip`` events
+after ``pcap_cnt: 4``, since there's a drop in ``pcap_cnt: 5`` and the flow is
+dropped with packets 6 and 7 due to the applayer error exception policy.
+
+# Redmine ticket
+
+https://redmine.openinfosecfoundation.org/issues/5802
diff --git a/tests/bug-5802/suricata.yaml b/tests/bug-5802/suricata.yaml
new file mode 100644
index 000000000..a2f9e65cc
--- /dev/null
+++ b/tests/bug-5802/suricata.yaml
@@ -0,0 +1,29 @@
+%YAML 1.1
+---
+
+outputs:
+ - eve-log:
+ enabled: yes
+ types:
+ - alert:
+ tagged-packets: yes
+ - anomaly:
+ enabled: yes
+ types:
+ decode: no
+ stream: yes
+ applayer: yes
+ - tls:
+ extended: yes # enable this for extended logging information
+ - drop:
+ alerts: yes # log alerts that caused drops
+ flows: all # start or all: 'start' logs only a single drop
+ # per flow direction. All logs each dropped pkt.
+ - flow
+ - sip
+
+action-order:
+ - pass
+ - drop
+ - reject
+ - alert
diff --git a/tests/bug-5802/test.rules b/tests/bug-5802/test.rules
new file mode 100644
index 000000000..ca13c4b2a
--- /dev/null
+++ b/tests/bug-5802/test.rules
@@ -0,0 +1,2 @@
+alert tcp any any -> any any (flow:to_server; sid:1;)
+drop udp any any -> any any (flow:to_server; sid:2;)
diff --git a/tests/bug-5802/test.yaml b/tests/bug-5802/test.yaml
new file mode 100644
index 000000000..2e06568c2
--- /dev/null
+++ b/tests/bug-5802/test.yaml
@@ -0,0 +1,20 @@
+pcap: ../sip-body-frames/public-cloudshark-sip-s0.pcap
+args:
+- --set app-layer.error-policy=drop-flow
+- --simulate-ips
+- -k none
+checks:
+ - filter:
+ count: 0
+ match:
+ event_type: alert
+ alert.signature_id: 1
+ - filter:
+ count: 4
+ match:
+ event_type: alert
+ alert.signature_id: 2
+ - filter:
+ count: 3
+ match:
+ event_type: sip
diff --git a/tests/detect-udp-flow-rule-01/suricata.yaml b/tests/detect-udp-flow-rule-01/suricata.yaml
new file mode 100644
index 000000000..a2f9e65cc
--- /dev/null
+++ b/tests/detect-udp-flow-rule-01/suricata.yaml
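Review bot: The README's stated expectation for tests/bug-5802 — no `sip` events after `pcap_cnt: 4` — is not asserted by test.yaml; `count: 3` for `event_type: sip` passes no matter which packets produced the three events, so a regression that logs a sip event for packet 5, 6 or 7 while the total stays at three would go unnoticed. A zero-count filter pinned on each of the later packets, using the `pcap_cnt` match the other tests in this commit already use, would tie the check to the behaviour the README describes (repeat the filter below for `pcap_cnt: 6` and `pcap_cnt: 7`). The `count: 4` for `alert.signature_id: 2` also depends on `--simulate-ips` together with `flows: all` in the drop output of suricata.yaml; a one-line comment above `checks:` naming that dependency would help whoever next touches the numbers.
```yaml
  # the flow is dropped from packet 5 onward, so no sip event may be logged for it
  - filter:
      count: 0
      match:
        event_type: sip
        pcap_cnt: 5
```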
@@ -0,0 +1,29 @@
+%YAML 1.1
+---
+
+outputs:
+ - eve-log:
+ enabled: yes
+ types:
+ - alert:
+ tagged-packets: yes
+ - anomaly:
+ enabled: yes
+ types:
+ decode: no
+ stream: yes
+ applayer: yes
+ - tls:
+ extended: yes # enable this for extended logging information
+ - drop:
+ alerts: yes # log alerts that caused drops
+ flows: all # start or all: 'start' logs only a single drop
+ # per flow direction. All logs each dropped pkt.
+ - flow
+ - sip
+
+action-order:
+ - pass
+ - drop
+ - reject
+ - alert
diff --git a/tests/detect-udp-flow-rule-02/suricata.yaml b/tests/detect-udp-flow-rule-02/suricata.yaml
new file mode 100644
index 000000000..a2f9e65cc
--- /dev/null
+++ b/tests/detect-udp-flow-rule-02/suricata.yaml
@@ -0,0 +1,29 @@
+%YAML 1.1
+---
+
+outputs:
+ - eve-log:
+ enabled: yes
+ types:
+ - alert:
+ tagged-packets: yes
+ - anomaly:
+ enabled: yes
+ types:
+ decode: no
+ stream: yes
+ applayer: yes
+ - tls:
+ extended: yes # enable this for extended logging information
+ - drop:
+ alerts: yes # log alerts that caused drops
+ flows: all # start or all: 'start' logs only a single drop
+ # per flow direction. All logs each dropped pkt.
+ - flow
+ - sip
+
+action-order:
+ - pass
+ - drop
+ - reject
+ - alert
diff --git a/tests/detect-udp-flow-rule-02/test.rules b/tests/detect-udp-flow-rule-02/test.rules
new file mode 100644
index 000000000..031f1bea5
--- /dev/null
+++ b/tests/detect-udp-flow-rule-02/test.rules
@@ -0,0 +1,2 @@
+alert tcp any any -> any any (flow:to_server; sid:1;)
+alert udp any any -> any any (flow:to_server; sid:2;)
diff --git a/tests/detect-udp-flow-rule-02/test.yaml b/tests/detect-udp-flow-rule-02/test.yaml
new file mode 100644
index 000000000..0f9f568be
--- /dev/null
+++ b/tests/detect-udp-flow-rule-02/test.yaml
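Review bot: tests/detect-udp-flow-rule-01 receives only a suricata.yaml in this commit (the same blob `a2f9e65cc` that bug-5802 and detect-udp-flow-rule-02 get), with no test.yaml or test.rules next to it; unless that directory already exists with its own test definition, the file is an orphan and the test cannot run — worth confirming before merge. The shared config also enables `tls` with `extended: yes` and the `anomaly` output, while none of the checks visible in this commit read a tls or anomaly event; trimming the eve `types` list to `alert`, `drop`, `flow` and `sip` would make each config say what its test needs. If the anomaly output is kept on purpose for the app-layer error-policy investigation, a short comment next to `applayer: yes` saying so would be enough.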
@@ -0,0 +1,16 @@
+pcap: ../sip-body-frames/public-cloudshark-sip-s0.pcap
+args:
+- --simulate-ips
+- -k none
+- --set app-layer.error-policy=drop-packet
+checks:
+ - filter:
+ count: 0
+ match:
+ event_type: alert
+ alert.signature_id: 1
+ - filter:
+ count: 3
+ match:
+ event_type: alert
+ alert.signature_id: 2
diff --git a/tests/droped-flow-applayer-event-logged-dcerpc/README.md b/tests/droped-flow-applayer-event-logged-dcerpc/README.md
new file mode 100644
index 000000000..8d9438881
--- /dev/null
+++ b/tests/droped-flow-applayer-event-logged-dcerpc/README.md
@@ -0,0 +1,14 @@
+Test
+====
+
+It seems that Suricata will log an applayer event for a dropped flow, for the
+second packet of the flow. This test demonstrates such behavior, so we can
+investigate it.
+
+This test demonstrates this behavior with the SMB version 3 protocol.
+
+
+PCAP
+====
+
+PCAP found on Wireshark Wiki.
diff --git a/tests/droped-flow-applayer-event-logged-dcerpc/input.pcap b/tests/droped-flow-applayer-event-logged-dcerpc/input.pcap
new file mode 100644
index 000000000..014c3dc29
Binary files /dev/null and b/tests/droped-flow-applayer-event-logged-dcerpc/input.pcap differ
diff --git a/tests/droped-flow-applayer-event-logged-dcerpc/suricata.yaml b/tests/droped-flow-applayer-event-logged-dcerpc/suricata.yaml
new file mode 100644
index 000000000..4f1afe04c
--- /dev/null
+++ b/tests/droped-flow-applayer-event-logged-dcerpc/suricata.yaml
@@ -0,0 +1,14 @@
+%YAML 1.1
+---
+
+outputs:
+ - eve-log:
+ enabled: yes
+ types:
+ - alert:
+ - flow
+ - dcerpc
+ - smb
+ - drop:
+ alerts: yes
+ flows: all
diff --git a/tests/droped-flow-applayer-event-logged-dcerpc/test.rules b/tests/droped-flow-applayer-event-logged-dcerpc/test.rules
new file mode 100644
index 000000000..b018a2242
--- /dev/null
+++ b/tests/droped-flow-applayer-event-logged-dcerpc/test.rules
@@ -0,0 +1 @@
+drop dcerpc any any -> any any (msg:"dcerpc rule"; sid:1;)
diff --git a/tests/droped-flow-applayer-event-logged-dcerpc/test.yaml b/tests/droped-flow-applayer-event-logged-dcerpc/test.yaml
new file mode 100644
index 000000000..f3622529e
--- /dev/null
+++ b/tests/droped-flow-applayer-event-logged-dcerpc/test.yaml
@@ -0,0 +1,21 @@
+args:
+- --simulate-ips
+- --set stream.midstream=true
+- -k none
+
+checks:
+ - filter:
+ count: 0
+ match:
+ pcap_cnt: 2
+ event_type: smb
+ - filter:
+ count: 19
+ match:
+ event_type: drop
+ - filter:
+ count: 1
+ match:
+ event_type: flow
+ flow.action: drop
+
diff --git a/tests/droped-flow-applayer-event-logged-http/README.md b/tests/droped-flow-applayer-event-logged-http/README.md
new file mode 100644
index 000000000..7c1f235a0
--- /dev/null
+++ b/tests/droped-flow-applayer-event-logged-http/README.md
@@ -0,0 +1,15 @@
+Test
+====
+
+It seems that Suricata will log an applayer event for a dropped flow, for the
+second packet of the flow. This test demonstrates such behavior, so we can
+investigate it.
+
+This test demonstrates this behavior with the HTTP protocol.
+
+
+PCAP
+====
+
+PCAP is the result of extracting the http packets from a pcap representing a
+curl to the www.testmyids.com site.
diff --git a/tests/droped-flow-applayer-event-logged-http/input-http-ACK.pcap b/tests/droped-flow-applayer-event-logged-http/input-http-ACK.pcap
new file mode 100644
index 000000000..c5b1c5155
Binary files /dev/null and b/tests/droped-flow-applayer-event-logged-http/input-http-ACK.pcap differ
diff --git a/tests/droped-flow-applayer-event-logged-http/suricata.yaml b/tests/droped-flow-applayer-event-logged-http/suricata.yaml
new file mode 100644
index 000000000..d672946e9
--- /dev/null
+++ b/tests/droped-flow-applayer-event-logged-http/suricata.yaml
@@ -0,0 +1,13 @@
+%YAML 1.1
+---
+
+outputs:
+ - eve-log:
+ enabled: yes
+ types:
+ - alert:
+ - flow
+ - http
+ - drop:
+ alerts: yes
+ flows: all
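Review bot: The test is named for DCERPC and its rule is `drop dcerpc any any -> any any (...)`, but the only app-layer check in test.yaml is `count: 0` for `event_type: smb` at `pcap_cnt: 2`; nothing asserts whether a `dcerpc` event is logged for the second packet, which is exactly the behaviour the commit message says these tests are meant to demonstrate. Adding a filter on `event_type: dcerpc` with `pcap_cnt: 2`, with the count the investigation establishes, would pin it the way the http and smb siblings pin their own protocol. The README in this directory is the same blob as the smb one (`8d9438881`) and still says the test covers the SMB version 3 protocol; it should name DCERPC and the source of the pcap. The absolute `count: 19` for `event_type: drop` is tied to `--set stream.midstream=true` plus `flows: all` in suricata.yaml, so a comment recording that dependency next to the filter would explain the number.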
diff --git a/tests/droped-flow-applayer-event-logged-http/test.rules b/tests/droped-flow-applayer-event-logged-http/test.rules
new file mode 100644
index 000000000..5e239544c
--- /dev/null
+++ b/tests/droped-flow-applayer-event-logged-http/test.rules
@@ -0,0 +1 @@
+drop http any any -> any any (msg:"http rule"; sid:1;)
diff --git a/tests/droped-flow-applayer-event-logged-http/test.yaml b/tests/droped-flow-applayer-event-logged-http/test.yaml
new file mode 100644
index 000000000..3c5faea4c
--- /dev/null
+++ b/tests/droped-flow-applayer-event-logged-http/test.yaml
@@ -0,0 +1,21 @@
+args:
+- --simulate-ips
+- --set stream.midstream=true
+- -k none
+
+checks:
+ - filter:
+ count: 1
+ match:
+ event_type: http
+ pcap_cnt: 2
+ - filter:
+ count: 1
+ match:
+ event_type: drop
+ - filter:
+ count: 1
+ match:
+ event_type: flow
+ flow.action: drop
+
diff --git a/tests/droped-flow-applayer-event-logged-smb/README.md b/tests/droped-flow-applayer-event-logged-smb/README.md
new file mode 100644
index 000000000..8d9438881
--- /dev/null
+++ b/tests/droped-flow-applayer-event-logged-smb/README.md
@@ -0,0 +1,14 @@
+Test
+====
+
+It seems that Suricata will log an applayer event for a dropped flow, for the
+second packet of the flow. This test demonstrates such behavior, so we can
+investigate it.
+
+This test demonstrates this behavior with the SMB version 3 protocol.
+
+
+PCAP
+====
+
+PCAP found on Wireshark Wiki.
diff --git a/tests/droped-flow-applayer-event-logged-smb/input.pcap b/tests/droped-flow-applayer-event-logged-smb/input.pcap
new file mode 100644
index 000000000..0adc7740e
Binary files /dev/null and b/tests/droped-flow-applayer-event-logged-smb/input.pcap differ
diff --git a/tests/droped-flow-applayer-event-logged-smb/suricata.yaml b/tests/droped-flow-applayer-event-logged-smb/suricata.yaml
new file mode 100644
index 000000000..4c89a119e
--- /dev/null
+++ b/tests/droped-flow-applayer-event-logged-smb/suricata.yaml
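Review bot: The check `count: 1` for `event_type: http` at `pcap_cnt: 2` in tests/droped-flow-applayer-event-logged-http/test.yaml pins the behaviour the commit message itself calls suspect (an app-layer event logged for the second packet of a dropped flow), so a fix for the issue under investigation will turn this test red with nothing in the file saying why; the same holds for the `smb` check at `pcap_cnt: 2` in tests/droped-flow-applayer-event-logged-smb/test.yaml. A comment directly above that filter would make the intent explicit, e.g. `# documents current behaviour under investigation: an http event is still logged for pcap_cnt 2 although the flow is dropped; update once resolved`. The README already says the test exists to demonstrate the behaviour, but whoever sees the check fail will open test.yaml first.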
@@ -0,0 +1,13 @@
+%YAML 1.1
+---
+
+outputs:
+ - eve-log:
+ enabled: yes
+ types:
+ - alert:
+ - flow
+ - smb
+ - drop:
+ alerts: yes
+ flows: all
diff --git a/tests/droped-flow-applayer-event-logged-smb/test.rules b/tests/droped-flow-applayer-event-logged-smb/test.rules
new file mode 100644
index 000000000..c1dc7f067
--- /dev/null
+++ b/tests/droped-flow-applayer-event-logged-smb/test.rules
@@ -0,0 +1 @@
+drop smb any any -> any any (msg:"smb rule"; sid:2;)
diff --git a/tests/droped-flow-applayer-event-logged-smb/test.yaml b/tests/droped-flow-applayer-event-logged-smb/test.yaml
new file mode 100644
index 000000000..3cfc1fb67
--- /dev/null
+++ b/tests/droped-flow-applayer-event-logged-smb/test.yaml
@@ -0,0 +1,22 @@
+args:
+- --simulate-ips
+- --set stream.reassembly.depth=0
+- --set stream.midstream-policy=drop-flow
+- -k none
+
+checks:
+ - filter:
+ count: 1
+ match:
+ event_type: smb
+ pcap_cnt: 2
+ - filter:
+ count: 53
+ match:
+ event_type: drop
+ - filter:
+ count: 1
+ match:
+ event_type: flow
+ flow.action: drop
+
diff --git a/tests/threshold/threshold-config-rate-filter-drop-hostdst/test.yaml b/tests/threshold/threshold-config-rate-filter-drop-hostdst/test.yaml
index 1b351c028..65594aa5f 100644
--- a/tests/threshold/threshold-config-rate-filter-drop-hostdst/test.yaml
+++ b/tests/threshold/threshold-config-rate-filter-drop-hostdst/test.yaml
@@ -1,5 +1,5 @@
 requires:
- min-version: 7
+ min-version: 7
 args:
 - --set threshold-file=${TEST_DIR}/threshold.config
@@ -16,3 +16,8 @@ checks:
 match:
 event_type: drop
 drop.reason: threshold detection_filter
+# due to the drops, we don't expect to see any http event
+ - filter:
+ count: 0
+ match:
+ event_type: http
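Review bot: tests/droped-flow-applayer-event-logged-smb/test.yaml drives the run with `--set stream.reassembly.depth=0` and `--set stream.midstream-policy=drop-flow`, whereas the http and dcerpc siblings use `--set stream.midstream=true`; nothing in the test or its README says why SMB needs a different stream setup, and the `count: 53` for `event_type: drop` depends on it. A comment next to the args stating what the midstream drop policy and the zero reassembly depth are there to provoke would stop a future reader from "harmonising" the arguments with the siblings and silently changing the drop count. If the difference is not deliberate, aligning the args with the other two tests would keep the three comparable.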
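Review bot: The added comment `# due to the drops, we don't expect to see any http event` in tests/threshold/threshold-config-rate-filter-drop-hostdst/test.yaml sits at column 0 inside the `checks:` list; indenting it to the level of the `- filter:` entries keeps it attached to the check it describes rather than reading as a file-level remark. The new `count: 0` filter on `event_type: http` is only meaningful if that test's suricata.yaml (not part of this diff) enables the `http` eve output — otherwise it passes vacuously; worth confirming and, if so, saying so in the comment.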